On December 23, the House and Senate Appropriations Committees agreed to a $1.7 trillion omnibus spending bill that funds government operations through fiscal year 2023. On December 29, President Biden signed it. The 4,155-page bill reflects an already agreed-upon $858 billion for defense spending and roughly $800 billion for non-defense spending, including several prominent cybersecurity items.
US Senator Chris Murphy (D-CT), chair of the Subcommittee on Homeland Security, said, “This bill is a reasonable compromise, and I’m proud of the investments it would make in the responsible management of our border, the protection of our nation from cyber threats, and the protection of our coastlines and airports.”
On the House side, Homeland Security Subcommittee Chairwoman Lucille Roybal-Allard (D-CA) said, “This year’s appropriations bill for the Department of Homeland Security makes historic investments in America’s domestic, maritime, and border security while also protecting critical cyber and physical infrastructure and supporting disaster relief.”
Key cybersecurity provisions in the bill
Cybersecurity is referenced dozens of times in the bill, highlighting how routine cybersecurity spending has become in the federal government. The following cybersecurity provisions in the spending bill are noteworthy for their prominence, the dollar amounts involved, their first-time appearance in the annual appropriations process, or the emphasis lawmakers place upon them.
- CISA funding: The bill allocates $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA), $313.5 million or 12% above the fiscal year 2022 level and $396.4 million above the President’s budget request. Among the specific CISA items flagged by lawmakers are:
- More than $1.7 billion for cybersecurity efforts that include “the protection of civilian federal networks that also benefit state, local, tribal and territorial (SLTT) government networks”
- $214.2 million to further advance CISA’s Cybersecurity Operations, encompassing, among other things, a $17 million increase for the Joint Cyber Defense Collaborative (JCDC)
- A $16 million increase for the Multi-State Information Sharing and Analysis Center (MS-ISAC), for a total of $43 million for the center
- $46 million for “threat hunting and response capabilities” across federal, SLTT, and critical infrastructure networks
- $17 million for “emergency communications preparedness”
- An additional $32 million for “increasing regional operations capabilities”
- Additional Ukraine Supplemental Appropriations Act, 2023: This act, included as part of the omnibus spending package, allocates $50 million to address cybersecurity threats from Russia and other malicious actors.
- Office of Personnel Management: The spending package gives $422 million for the Office of Personnel Management to “address cybersecurity and hiring initiatives,” representing an increase of $49.2 million.
- National Science Foundation: The legislation provides $69 million for the National Science Foundation’s CyberCorps: Scholarship for Service program, a $6 million increase from last year. The program gives students scholarships in exchange for a commitment to work for the government in cybersecurity after graduation.
- Treasury Department: The bill allocates $100 million in supplemental funds for salaries and expenses for enhanced cybersecurity for systems operated by the department.
- Office of the National Cyber Director: The bill provides $21,926,000 in funding for the Office of the National Cyber Director.
- Secret Service funding: The bill allocates $23 million for the National Computer Forensics Institute and reauthorizes the Secret Service to continue operating it. The institute serves as a national training center where law enforcement officials learn methods for investigating and combating cyber and electronic crimes.
- Commerce Department funding: The legislation allocates $35 million specifically for technology modernization and cybersecurity risk mitigation for the department.
- Department of Homeland Security (DHS) funding: The bill allocates $3 million for the DHS Intelligence and Cybersecurity Diversity Fellowship Program.
TikTok banned on executive branch phones
Despite ongoing efforts by China’s ByteDance to forge a compromise agreement with the Committee on Foreign Investment in the US (CFIUS) to assuage the national security concerns surrounding its popular TikTok video app, the spending bill prohibits the use of TikTok on executive agency devices. The legislation requires the Office of Management and Budget (OMB), in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop within 60 days standards and guidelines for executive agencies requiring the app’s removal.
Following the bill’s enactment, the chief administrative officer of the US House of Representatives banned TikTok from the phones of House members and staff effective immediately. A TikTok spokesperson said, “We’re disappointed that Congress has moved to ban TikTok on government devices — a political gesture that will do nothing to advance national security interests — rather than encouraging the administration to conclude its national security review. The agreement under review by CFIUS will meaningfully address any security concerns that have been raised at both the federal and state level.”
Limitations on Chinese, North Korean, and Iranian procurement
The bill stipulates that no government agency may use its funds to buy telecom equipment from Chinese tech giants Huawei or ZTE for “high or moderate impact information systems,” as those impact levels are defined by the National Institute of Standards and Technology (NIST).
It further states that agencies cannot use any of their funds for technology, including biotechnology, digital, telecommunications, and cyber, developed by the People’s Republic of China unless the secretary of state, in consultation with the USAID administrator and the heads of other federal agencies, as appropriate, determines that such use does not adversely impact the national security of the United States.
Moreover, no agency can spend funds on entities owned, directed, or subsidized by China, Iran, North Korea, or Russia unless the FBI or other appropriate federal entity has assessed any risk of cyber espionage or sabotage associated with acquisitions from these entities.
Report on ransomware and other cyber-related attacks by foreign parties
The bill incorporates the RANSOMWARE Act, which requires the Federal Trade Commission (FTC) to deliver to Congress in 2025 and 2027 a report that spells out the number and types of ransomware incidents or other cyberattacks originating from China, North Korea, Iran, or Russia. The report must also cover litigation related to these incidents and recommend new laws and business practices to strengthen the resilience of US organizations against these threat actors.
Ensuring medical device cybersecurity
Finally, the bill amends the Federal Food, Drug, and Cosmetic Act to require makers of network-connected medical devices to meet specific cybersecurity requirements as part of premarket submissions to the Food and Drug Administration (FDA). Among the requirements is submitting a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
The manufacturers must also design, develop, and maintain processes that provide reasonable assurance that their devices and related systems are secure, and must make post-market software and firmware updates and patches available, on a regular cycle for known vulnerabilities and as soon as possible out of cycle for critical ones. The device makers are further required to provide the FDA with a software bill of materials (SBOM) that includes the commercial, open-source, and off-the-shelf software components used by the devices.
The bill further requires the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office (GAO) is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities and how federal agencies can strengthen coordination to improve the cybersecurity of devices.